Created
May 31, 2015 16:39
-
-
Save amatus/d77fef5a36f3c3188c5f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
10:39 < major> well, it goes something like this: ssh-keygen -f | |
servers_CA;ssh-keygen -f users_CA | |
10:40 < major> after that: ssh-keygen -s <CA_file> -I <description> -n | |
<principals> <pubkey_file> | |
10:40 < major> for users | |
10:40 < major> and: ssh-keygen -s <CA_file> -I <description> -h -n <hostnamess> | |
<pubkey file> | |
10:40 < major> for signing host pubkeys | |
10:41 < major> you can add a @ca-authority in your authorized keys to trust all | |
signed keys by that CA | |
10:41 < major> erm | |
10:41 < major> to known_hosts | |
10:42 < major> like, take the users_CA.pub and add it to known_hosts: | |
@cert-authority *.example.com ssh-rsa ..... | |
10:42 < major> suddenly no more "do you want to trust this server" when you ssh | |
to a host with a signed cert | |
10:43 < major> the /etc/ssh/sshd_config is a little more verbose for the setup | |
10:43 < major> you need a HostCertificate entry per HostKey | |
10:43 < major> HostKey /etc/ssh/ssh_host_rsa_key | |
10:43 < major> HostCertificate /etc/ssh/ssh_host_rsa_key-cert | |
10:43 < major> HostKey /etc/ssh/ssh_host_dsa_key | |
10:43 < major> HostCertificate /etc/ssh/ssh_host_dsa_key-cert | |
10:43 < major> HostKey /etc/ssh/ssh_host_ecdsa_key | |
10:43 < major> HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert | |
10:43 < major> HostKey /etc/ssh/ssh_host_ed25519_key | |
10:43 < major> HostCertificate /etc/ssh/ssh_host_ed25519_key-cert | |
10:43 < major> when you sign a servers ssh_host_rsa_key.pub you will get an | |
ssh_host_rsa_key-cert.pub | |
10:44 < major> you just copy it back to the server and fixup the entries | |
10:44 < major> the last 2 lines you the sshd_config are the kicker | |
10:44 < major> TrustedUserCAKeys /etc/ssh/users_CA.pub (from before) | |
10:44 < major> and: AuthenticationMethods publickey,password | |
publickey,keyboard-interactive | |
10:45 < major> setting AuthenticationMethods lets you decide what is required | |
in an auth set, and the order they are required in | |
10:45 < major> spaces separate sets, commas separate methods that have to | |
succeed in that set | |
10:45 < major> the entire set has to succeed, or auth fails | |
10:46 < major> the default seems to be: AuthenticationMethods publickey | |
password keyboard-interactive | |
10:47 < major> changing it to: publickey,password | |
publickey,keyboard-interactive means that you MUST pass | |
publickey authorization before you get to the password portion, | |
and then you can pass password or keyboard-interactive to | |
complete either of the 2 set definitions | |
10:48 < major> the TrustedUserCAKeys line means that the Host will not trust | |
any old public_key, only signed keys are trusted | |
10:48 < major> so users can not bipass security | |
10:48 < major> authorized_keys is "not" security | |
10:48 < major> as I said before | |
10:49 < major> again, the vast majority of the work is just signing public keys | |
and copy them back | |
10:49 < major> and I used a user_CA which is different than the host_CA | |
10:50 < major> one of the nice things about the system is that the signed cert | |
decides what usernames are allowed for attempted logins | |
10:51 < major> ssh-keygen -s users_CA -I user_amatus -n amatus,david,dbarksdale | |
-V +36w amatus_id.pub | |
10:51 < major> so there you have a signed cert that expires in 32 weeks, and | |
which can only be used to login as one of those 3 names | |
10:51 < major> the signing authority decides who the cert can be used to login | |
as | |
10:51 < major> none of this shit with "well, I have the password to someone | |
elses account" | |
10:53 < major> and again, it doesn't even matter if their pubkey is signed or | |
not | |
10:53 < major> because I am still forcing passwords | |
10:54 < major> it makes you wonder though .. how the fuck did people ever think | |
that authorized_keys and shit like sshguard or fail2ban were | |
solutions | |
10:54 < major> authorized_keys is almost akin to letting go of ones security | |
decisions | |
10:55 < major> its saying: we are not going to challange a user w/ a password, | |
we are going to trust our users to secure their public keys, we | |
are going to trust the security on their systems | |
10:55 < major> I dunno, doesn't matter | |
10:55 < major> ignorance abounds | |
10:55 * major shrugs. | |
11:03 < major> once this approach is all setup you just require that a user | |
send you a copy of their public cert and you sign it with the | |
list of names they are allowed to login as, and you send it back | |
11:03 < major> curiously, that keeps them from using a single id_rsa.pub for | |
all of their misc shit as well | |
11:06 < major> also, considering how much memory fail2ban can consume .. this | |
approach is a lot less memory intensive | |
11:07 < major> and protects against distributed attempts to attack the | |
passwords :P | |
11:07 < major> need I say moer? | |
11:07 < major> more* even | |
11:08 < major> and, the ability to expire a signed cert is just sort of a bonus |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment